Whenever you visit our websites, information may be collected using cookies and similar tools to improve your user experience and to enhance the performance of the website.
Closing this message means you accept the use of cookies.
Research Report: Assessing Cyber Supply Chain Security Vulnerabilities Within the U.S. Critical Infrastructure
ESG Research Report
Nov 28, 2010
The primary objective of this ESG research study was to survey Critical Infrastructure and Key Resources (CIKR) organizations in order to qualify and quantify the current status of their existing security profiles as well as their awareness of and programs dealing with cyber supply chain security.
To assess cyber supply chain assurance, ESG asked 285 security professionals to respond to questions in areas such as:
1. Risk management
Has the organization experienced any security breaches? If so, what was the impact?
How would respondents rate the security threat landscape now as compared to two years ago? Do respondents expect the threat landscape to get worse over the next two years?
How well prepared is the organization for the current threat landscape?
Is executive management supporting and investing in cyber security?
2. Procurement
How important are IT vendors’ security processes in customers’ procurement decisions?
Do CIKR organizations audit the development processes of vendors before purchasing IT products? If so, is there a common model for these audits? Are these standard activities and processes across the enterprise?
Do IT vendors assume any liabilities for faulty or compromised products?
Do CIKR organizations hold system integrators accountable for the overall security of the systems they design, deploy, operate, and manage? If so, how?
To the best of their knowledge, have CIKR organizations purchased any counterfeit IT hardware/software over the past 12 months?
3. Software development
Do CIKR organizations include security considerations in their standard software development processes?
Have organizations experienced any security breaches related to internally-developed software vulnerability?
Do CIKR organizations require their internal developers to be trained in secure software development?
When organizations outsource their software development, are secure development processes a requirement for external outsourcers and contractors?
4. External IT security
To what extent do CIKR organizations currently open their IT systems to external parties such as customers, suppliers, and business partners?
If so, how are these relationships secured? Are there formal processes and safeguards in place?
5. The role of the U.S. Federal Government
Do CIKR organizations believe that the Federal Government should do more or less in terms of cyber security defenses and strategies?
What specific actions should the Federal Government take?
Page Count: 62
Table of Contents
Executive Summary
Report Conclusions
Introduction
Research Objectives
1. Risk Management
Research Findings
Respondents Are Unfamiliar with Cyber Supply Chain Security
What types of organizations are “very familiar” with cyber supply chain security?
The Current Security Landscape
ESG Data Insight
Security Breaches Cause System and Service Interruptions
ESG Data Insight
Cyber Supply Chain Security
Cyber Supply Chain Security and IT Procurement
Cyber Supply Chain Security and IT Vendors
ESG Data Insight
Cyber Supply Chain Security and Software Assurance(1)
ESG Data Insight:
ESG Data Insight:
Cyber Supply Chain Security and External IT(1)
ESG Data Insight:
Cyber Supply Chain Security: The Federal Government Role(1)
It seems like every day, a company announces a new cloud infrastructure service provider that it is getting into the cloud business. What makes this situation even more challenging for today’s CIO is that cloud infrastructure service providers all…